Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 73908

Summary: www-proxy/squid: Malformed Host Name Error Message Information Leakage
Product: Gentoo Security Reporter: Aarni Honka <aarni.honka>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: andrewbevitt
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-dothost
Whiteboard: B4 [noglsa] jaervosz
Package list:
Runtime testing required: ---

Description Aarni Honka 2004-12-09 07:09:47 UTC 
TITLE:
Squid Malformed Host Name Error Message Information Leakage

SECUNIA ADVISORY ID:
SA13408

VERIFY ADVISORY:
http://secunia.com/advisories/13408/

CRITICAL:
Less critical

IMPACT:
Exposure of system information, Exposure of sensitive information

WHERE:
>From remote

SOFTWARE:
Squid 2.x
http://secunia.com/product/310/

DESCRIPTION:
Artur Szostak has reported a vulnerability in Squid, which can be
exploited by malicious people to gain knowledge of potentially
sensitive information.

The vulnerability is caused due to an error when returning error
messages in response to malformed host names. This may in certain
circumstances leak random information about e.g. other requests in
the error messages.

The vulnerability has been reported in Squid-2.5 on all platforms.

SOLUTION:
Apply patch:
http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-dothost.patch

PROVIDED AND/OR DISCOVERED BY:
Artur Szostak

ORIGINAL ADVISORY:
http://www.squid-cache.org/bugs/show_bug.cgi?id=1143
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-09 07:37:51 UTC 
http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-dothost :

Random error messages in response to malformed host name

synopsis 	In certain conditions Squid returns random data as error messages in response to malformed host name, possibly leaking random internal information which may come from other requests.
severity 	Cosmetic / Minor Security issue
date 	2004-12-07 23:45
bugzilla 	#1143
versions 	Squid-2.5
platforms 	All
patch 	squid-2.5.STABLE7-dothost.patch

______

cyfred pls validate and apply the patch
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-09 07:38:46 UTC 
*** Bug 73909 has been marked as a duplicate of this bug. ***
Comment 3 Andrew Bevitt 2004-12-09 16:28:27 UTC 
Patchset updated in cvs (wait for sync out)

Please use ebuild that applies PATCH_VERSION="20041210"
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-09 22:15:39 UTC 
Thx cyfred, marked all stable this is ready for GLSA decision. Security please vote.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-12-10 01:02:32 UTC 
Error messages potentially involving the requests of other users do not seem very sensitive to me. I vote no.
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-12 12:30:34 UTC 
/me votes no too
looks like a minor issue
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-12 23:22:00 UTC 
Closing without GLSA.